ISE Feature to control employee's personal wireless devices

rajdhingra84 (Level 1)

Hi,

One of my customers is upgrading their network, and while moving to a new controller-based wireless, he wants to prevent employees' personal devices from logging into the wireless network. Since users get to know the passphrase, they usually connect their personal devices as well, using bandwidth in an unauthorized way.

Could you please let me know which ISE features can help achieve this, by enabling some kind of check on whether the credentials entered by users give some insight into the devices they are logging in from, which upon identification can be blocked or allowed based on the rights of the user.

6 Replies

Thomas Wall (Cisco Employee)

The credentials used themselves don't give insight on the type of device used, but we could use the profiling feature of ISE to authorize allowed devices and block personal devices. That said, profiling does require a Plus license. In addition to the license, you would need to enable HTTP or DHCP profiling on the controller WLAN settings so that when the client connects to the network, the client attributes are passed to ISE for processing.

While profiling may be the best option, can you please tell how you plan to use ISE with your customer? What device types will be allowed on the network? What guest flow do you intend to configure? Lastly, what requirements does your customer have for Wireless security on their WLAN?

Right now this ISE requirement is for a single site's wireless users, meaning no branches etc. and no VPN users.

Their intention is to use wireless as the primary means of communication, even on the desktops. Currently they have around 400 desktops + laptops, all Windows 8 and above, 100 personal devices (Android + iOS) and 10 to 20 guest visitors in a day.

For internal employees, the customer is looking for wireless security which can help him achieve high security standards like two-factor authentication (not tokens), as well as to keep control on what I mentioned previously, i.e. controlling the personal device login, which generally are not part of the AD domain. I believe a certificate is one of the ways to control these types of personal devices: since they won't have certificates, they won't be able to access the network. Please let me know if there are other simpler ways. Having said that, there would be VIP mgmt. users on the other hand who cannot be denied access and would require access to the enterprise wireless through their personal devices, which would not be part of the domain. I am getting a little confused about all such scenarios, as I have no idea of ISE implementation use cases.

For guests, he wants differentiated access with some sort of self-provisioning form wherein the user can provide his personal details and can get the password through SMS. I believe this can be achieved through ISE, but I don't know whether the Base license will be sufficient or Advanced would be required. Guests will be provided Internet-only access.

You're right, you can use a user or machine certificate to authenticate your domain devices, as the guest clients would not contain the certificate. You could also use machine authentication on your domain devices to verify the machine is a member of the domain without using certificates. Those two options would be the easiest. If you want to throw in the added check of the device type, you could configure profiling as mentioned earlier.

For the VIP users you could create a whitelist endpoint group to catch their personal devices. For an example, please watch the following video: Youtube Whitelist tutorial. In the authorization rule you could state: if Group and Wireless Name is X, then permit access.

As for the guests, the self-registration guest flow with SMS notifications would be perfect based on your description. This configuration would only require the Base license. If you were to configure device onboarding and provisioning for your guests, you would be required to get a Plus license. In this flow, the guest would connect to the guest network and be redirected to a guest login page. If they do not have an account, they could click the link at the bottom of the page and create a new account, which could then be used to log in to the guest portal.
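The authorization logic Thomas describes above (domain devices by certificate or machine authentication, a whitelist endpoint group for the VIPs' personal devices tied to the WLAN name, a portal redirect on the guest SSID, and everything else denied) is built in the ISE GUI, so the following is a small stand-alone model of that rule set, added to this thread as an illustration. It is not Cisco ISE code: the SSID names, the CA name, the attribute names, the MAC addresses and the endpoint profile strings are all constructed for the example, and ISE's real attribute dictionaries and rule syntax differ. It also shows the machine-plus-user combination (a user login is only accepted from a device that already passed machine authentication), in the spirit of ISE's Machine Access Restriction but without the aging timer ISE applies.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed names for this illustration (not from the thread): the two WLANs and the
# issuer DN of the enterprise CA that signs domain machine certificates.
CORP_SSID = "CORP-WLAN"
GUEST_SSID = "GUEST-WLAN"
CORP_CA = "CN=corp-issuing-ca"


def normalize_mac(mac: str) -> str:
    """Canonical form for Calling-Station-Id. Controllers send aa-bb-cc-dd-ee-ff,
    aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff depending on platform; a whitelist that
    compares raw strings would silently miss the device."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class AccessRequest:
    user_name: str            # "host/PC123.corp.example" = machine auth, "CORP\\alice" = user auth
    calling_station_id: str   # client MAC as the controller sends it
    ssid: str                 # WLAN name (in ISE: Called-Station-Id suffix or Airespace-Wlan-Id)
    eap_type: str             # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB" (open guest WLAN)
    cert_issuer: Optional[str] = None   # issuer DN of the client certificate (EAP-TLS only)
    profile: Optional[str] = None       # profiled endpoint type, only present with profiling enabled


@dataclass(frozen=True)
class Decision:
    result: str   # "PERMIT", "DENY" or "GUEST_PORTAL"
    rule: str     # name of the first matching rule, so the log says why


class WirelessPolicy:
    """First-match authorization policy with a default deny. The authentication phase
    (password or certificate validity) is assumed to have already succeeded; this
    models only the authorization rules applied afterwards."""

    def __init__(self, vip_whitelist):
        # Endpoint identity group for the VIPs' personal devices, keyed by MAC (constructed).
        self.vip_whitelist = {normalize_mac(m) for m in vip_whitelist}
        # MACs that recently passed machine authentication; never ages out in this model.
        self.machine_authenticated = set()

    def authorize(self, req: AccessRequest) -> Decision:
        mac = normalize_mac(req.calling_station_id)

        # Rule 1: guest WLAN -> redirect to the self-registration portal, Internet only.
        if req.ssid == GUEST_SSID:
            return Decision("GUEST_PORTAL", "Guest-SelfReg-Redirect")
        if req.ssid != CORP_SSID:
            return Decision("DENY", "Unknown-SSID")

        # Rule 2: machine authentication on the corporate WLAN. With EAP-TLS the client
        # certificate must come from the enterprise CA; a personal device cannot present one.
        if req.user_name.startswith("host/"):
            if req.eap_type == "EAP-TLS" and req.cert_issuer != CORP_CA:
                return Decision("DENY", "Machine-Cert-Untrusted-Issuer")
            self.machine_authenticated.add(mac)
            return Decision("PERMIT", "Domain-Machine")

        # Rule 3: a user login counts only from a device that already did machine auth,
        # so a personal device using known (even legitimate) AD credentials does not match.
        if mac in self.machine_authenticated:
            return Decision("PERMIT", "Domain-User-On-Domain-Machine")

        # Rule 4: VIP personal devices: endpoint group (MAC whitelist) AND this WLAN.
        if mac in self.vip_whitelist:
            return Decision("PERMIT", "VIP-Whitelist")

        # Rule 5: default deny; record the profiled type so the blocked device is visible.
        return Decision("DENY", f"Default-Deny({req.profile or 'unprofiled'})")


def demo():
    """Constructed sample session: one domain PC, one employee phone, one VIP phone."""
    policy = WirelessPolicy(vip_whitelist=["00-11-22-AA-BB-CC"])
    pc, phone, vip = "d4:3b:04:12:34:56", "ac:de:48:00:11:22", "0011.22aa.bbcc"
    return [
        policy.authorize(AccessRequest("host/PC123.corp.example", pc, CORP_SSID, "EAP-TLS", CORP_CA, "Windows10-Workstation")),
        policy.authorize(AccessRequest("CORP\\alice", pc, CORP_SSID, "PEAP-MSCHAPv2", profile="Windows10-Workstation")),
        policy.authorize(AccessRequest("CORP\\alice", phone, CORP_SSID, "PEAP-MSCHAPv2", profile="Android")),
        policy.authorize(AccessRequest("CORP\\bob", vip, CORP_SSID, "PEAP-MSCHAPv2", profile="Apple-iPhone")),
        policy.authorize(AccessRequest("CORP\\bob", vip, GUEST_SSID, "MAB")),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.result, d.rule)
```

Two things the model makes visible that the GUI hides: rule order matters (the VIP phone on the guest WLAN is still sent to the portal because the SSID condition is evaluated first), and the whitelist rule rests on nothing but the client MAC, which is trivially spoofable, so it should be confined to the handful of VIP endpoints rather than used as the general control. For the 400 domain machines the certificate or machine-authentication rules are the ones doing the work.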

Thanks for the clarifications, Thomas; it is really informative.

Specifically, could you please elaborate more on machine authentication, as in how it works: will the MAC address be used as the credential? Which EAP authentication method will be used, etc.? Also, can we combine machine authentication with user-level authentication to control which users can log in through authenticated machines? Additionally, for profiling do we need an ISE Plus/Advanced license?

For guests, I am unable to understand the difference between self-registration and device onboarding & provisioning. Could you please help with the exact working and differences between the two, or any link which I can refer to about all these scenarios? As I understand, for self-provisioning also the guest will be redirected to a page where he will provide his basic details before getting authorization. What enhancement will onboarding & provisioning provide to guests?

I would summarize the following article, but I think it would be a great read for you and could potentially answer all of your questions about machine authentication. If not, I would be happy to answer any follow-up questions.

http://www.networkworld.com/article/2940463/it-skills-training/machine-authentication-and-user-authentication.html

Profiling will require a Plus license.

With some added configuration, the self-registration portal can add the functionality of Onboarding/Provisioning for AD users who authenticate to the portal. The flow would not apply to any guest user, as they are not deemed internal users. In the Onboarding/Provisioning flow, the user would be redirected to a device registration page after entering their credentials. At this point, they will register their device and then get redirected to the provisioning process, where an application is installed on the device to install the new network profile and, if configured, to issue a certificate to the client to be used for later authentications to the provisioned network. In this flow, your internal users would not need to log in to the guest portal with the provisioned devices again unless the endpoint is removed and/or the provisioned certificate expires.

Documentation: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-61-BYOD-Onboarding_Registering_and_Provisioning.pdf

Also, I have included the following videos as well. The first one shows the behavior an Android 6 user would see when going through the provisioning process, and the second one shows a use case for provisioning. I included the second video so you could watch the first few minutes on how to configure provisioning, if that is a path you want to take.

Android Client Behavior

Provisioning Flow use case

I shall go through the content and will come back with follow-up questions.

Really appreciate your support. A BIG THANKS!!
